Skillz are more important than your degree in security

It’s graduation season and time to address careers in IT security. I can’t help thinking back to May 1982, the month 30 years ago when I graduated from the University of Michigan as an aerospace engineer. I had done the rounds of campus interviews but was not excited about going to work for aerospace giants, none of whom were working on rockets. The Space Shuttle program was already completed, with no new rockets in the works anywhere. I had made a grave error when I transferred to Michigan’s aerospace program from Wisconsin halfway through college. My 3.8 GPA was wiped out because grades did not transfer and many credits did not. All those easy-to-ace classes in calculus, physics and chemistry were behind me. Advanced classes in flight dynamics, control systems, thermodynamics and fluids were ahead of me.

I was somewhat duped by Michigan. When I visited to learn more about the program, they closeted me with Dr. Harm Buning, the Dutch professor who had taught Neal Armstrong and Buzz Aldrin orbital mechanics. He regaled me with stories of the golden age of space exploration. I fell for it and transferred in January 1980. It did not take me long to realize that the number two Aerospace program in the country (after MIT) had no courses on rocket propulsion. I had to take independent study on rocket propulsion from the professor whose research and grant money were all devoted to wave propagation in coal dust explosions.

I wanted nothing to do with the aero part of aerospace. I was not interested in airplanes, and I was really not interested in fluid flow and flight control, all pertaining to atmospheric flight. There is no fluid to fly through in space, just vacuum. So, while taking three semesters of classes devoted to Navier Stokes equations of fluid flow, I settled on structures as my specialty. At least I would be able to design the hardware components of rockets.

The 1980s were the early days of computing in engineering. Every one of my text books began “Since the advent of high speed digital computing...” One professor, Bill Anderson, was developing a series of courses on using something called MSC/Nastran to analyze complicated structures using a numerical method called Finite Element Methods (FEM). I took them all.

A month before graduating, there was a two-line add in The Ann Arbor News (yes kids, reading the “Want Ads” used to be the daily routine of all job seekers), which called for an engineer with MSC/Nastran. I applied and was offered the job at the end of the first interview, despite the fact that “I did not exactly set the world on fire with my grades” as the VP of Engineering at Hoover Universal pointed out. I had my first job as an engineer — designing car seats.

I had five years of theoretical background in engineering and science, but I got my first job because I was proficient in a tool.

Which brings me back two words of my advice to anyone who wants to get in to IT security: Learn tools.

I was puzzled by a chart that depicts salary range by college degree. If you hover over the Math and Computer Science bar you will see that computer security graduates have a median salary of $55K. That is lower than anyone I know in the field makes. The reason is that degrees in computer security are new and graduates are still young. I would guess that 99% of people in the field do not have degrees in IT security. It is still a new field and it is advancing rapidly. Universities, I have found, are giving their students theoretical groundings in software assurance, risk, compliance and management. Many of them look down their noses at teaching the use of tools.

IT security is part of a support function for business. The number of two-year rotation programs to train new grads are limited. Most IT departments need to hire today, and they need people who have proficiencies in the commercial tools that are deployed in their environments. So if you want to be found on the job boards, if you want your resume to pop up in searches, you need to have skills (or skillz in hacker speak) in those tools.

Get those skills. Invest in the 2-3 day training classes offered by most security vendors. Figure out what vendors’ products are the “next big thing” and become a specialist in those tools.